Differences between revisions 1 and 3 (spanning 2 versions): revision 1 as of 2022-07-31 08:43:38 (size 2508) and revision 3 as of 2022-08-05 09:20:02 (size 2812), both by editor PieterSmit.

Security Mozilla Sops Secrets

Install 2022

  • on Mac install sops

    brew install sops
    
    # And helm for k8s if needed
    brew install helm
  • install the helm-secrets plugin, which uses sops

    helm plugin install https://github.com/jkroepke/helm-secrets --version v3.12.0
  • example config (.sops.yaml)

    $ cat .sops.yaml
    # Note - script for key rotation k8sAzure/az-cli-helm-secret-rotate.sh
    # Note: get latest with $ AZ_KEY="helm-cust1-prd"; az keyvault key list-versions --id https://${AZ_KEY}.vault.azure.net/keys/${AZ_KEY} --query "[0].kid"
    creation_rules:
    
      - path_regex: env/(cust1|cust).*/(uat|prd)/secrets.yaml(.dec)?$
        encrypted_regex: '^(password|.*key)$'
        azure_keyvault: "https://helm-cust1-prd.vault.azure.net/keys/helm-cust1-prd/610aa30aa00b4184a07fa9cbb23463ef"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      - path_regex: env/cust2.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust2-prd.vault.azure.net/keys/helm-cust2-prd/bb24f66d53f04827915c5b79f3e75a97"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      - path_regex: env/cust3.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust3-prd.vault.azure.net/keys/helm-cust3-prd/750724205e5348d89e04b66b11651141"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      - path_regex: env/cust4.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust4-prd.vault.azure.net/keys/helm-cust4-prd/ecca09fae61c45bf8ec1e14fee839b0c"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      - path_regex: env/cust5.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust5-prd.vault.azure.net/keys/helm-cust5-prd/112647eb61f04d199c69c776a8597965"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # All dev tst uat
      - path_regex: secrets.yaml|env/.*/(dev|tst)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev/f8b2253f9af2407f8f870052ff2b233f"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # # Default catch all -filename_regex, or -path_regex with encrypted_regex
      # - azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev-nomatch/2532969fce7f46aab72a767e854ad9e4"
      #   pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
      #   encrypted_regex: ".*_secret|.*password|.*pin"
    
    
    #The END
  • Script to rotate keys, helm-rotate.sh: decrypts and re-encrypts every secrets file so it is encrypted with the key currently configured in .sops.yaml

    #!/bin/bash
    # Decrypt and re-encrypt every sops-encrypted yaml in the repo so each file
    # picks up the key currently listed in .sops.yaml (run after updating the
    # key version there).
    echo "Decrypt and re-encrypt files ..."
    gitroot=$(git rev-parse --show-toplevel)
    # Select files whose content references a sops-/helm- key (-l prints file
    # names only, so -n is not needed here); read line by line so paths with
    # spaces survive.
    grep -irl "sops-\|helm-" "$gitroot"/* | grep "yaml" | while read -r f; do
    
    echo "f=$f"
    grep -in "sops-\|helm-\|vault.azure.net" "$f"   # show which key the file uses now
    helm secrets dec "$f"                            # writes the plaintext to $f.dec
    helm secrets enc "$f"                            # re-encrypts with the current .sops.yaml rule
    rm -f "$f.dec"                                   # never leave the plaintext copy behind
    echo
    
    done
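Added example (not from this wiki page, nor code from sops or helm-secrets) for checking a .sops.yaml like the one above before running a rotation: it replays sops's rule selection (the first rule whose path_regex matches wins, matched as an unanchored search against the file path relative to .sops.yaml) and shows which keys the encrypted_regex '^(password|.*key)$' actually covers. The rule names and the sample values file are constructed here.

```python
import re

# Creation rules transcribed from the .sops.yaml above, in the same order
# (names are labels added here, key URLs omitted). sops tries rules top-down
# and takes the first whose path_regex matches the path relative to .sops.yaml.
CREATION_RULES = [
    {"name": "cust1-prd", "path_regex": r"env/(cust1|cust).*/(uat|prd)/secrets.yaml(.dec)?$",
     "encrypted_regex": r"^(password|.*key)$"},
    {"name": "cust2-prd", "path_regex": r"env/cust2.*/(uat|prd)/secrets.yaml(.dec)?$"},
    {"name": "cust3-prd", "path_regex": r"env/cust3.*/(uat|prd)/secrets.yaml(.dec)?$"},
    {"name": "cust4-prd", "path_regex": r"env/cust4.*/(uat|prd)/secrets.yaml(.dec)?$"},
    {"name": "cust5-prd", "path_regex": r"env/cust5.*/(uat|prd)/secrets.yaml(.dec)?$"},
    {"name": "all-dev", "path_regex": r"secrets.yaml|env/.*/(dev|tst)/secrets.yaml(.dec)?$"},
]

def select_rule(path, rules=CREATION_RULES):
    """Name of the first rule whose path_regex matches (unanchored search, as
    Go's regexp.MatchString in sops), or None: sops then refuses to encrypt."""
    for rule in rules:
        if re.search(rule["path_regex"], path):
            return rule["name"]
    return None

def classify_leaves(doc, encrypted_regex, _path=()):
    """Map each leaf's dotted path to True if sops would encrypt it: with
    encrypted_regex set, a leaf is encrypted when any key on its path matches
    (a matching key takes its whole subtree); all other values stay plaintext."""
    out = {}
    for key, value in doc.items():
        path = _path + (key,)
        if isinstance(value, dict):
            out.update(classify_leaves(value, encrypted_regex, path))
        else:
            out[".".join(path)] = any(re.search(encrypted_regex, p) for p in path)
    return out

# Constructed sample values file (not from the page).
SAMPLE_VALUES = {
    "image": {"repository": "registry.example/app", "tag": "1.2.3"},
    "db": {"host": "db.internal", "password": "hunter2"},
    "apiKey": "camelCase",  # '.*key' is case-sensitive: this one stays plaintext
    "api_key": "snake_case",
    "tls": {"cert": "-----BEGIN CERTIFICATE-----", "tls_key": "-----BEGIN KEY-----"},
}

if __name__ == "__main__":
    for p in ("env/cust1/prd/secrets.yaml", "env/cust2/prd/secrets.yaml", "charts/app/values.yaml"):
        print(f"{p:30} -> {select_rule(p)}")
    print(classify_leaves(SAMPLE_VALUES, CREATION_RULES[0]["encrypted_regex"]))
```

Two things it surfaces: under first-match selection the first rule's (cust1|cust).* also matches env/cust2/prd/secrets.yaml, so the cust2 to cust5 rules above are shadowed for uat/prd paths and those files would be encrypted to the cust1 key; and because .*key is case-sensitive, a camelCase apiKey is written in plaintext.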


CategorySecurity

Security/MozillaSopsSecrets (last edited 2022-09-01 02:42:37 by PieterSmit)